Adversarially Robust Learning with Tolerance

TL;DR

This paper introduces the concept of tolerant adversarial PAC-learning, providing new theoretical guarantees for existing algorithms and proposing a novel compression-based method that effectively handles metric perturbations.

Contribution

It establishes PAC-learning guarantees for perturb-and-smooth approaches under tolerance and introduces a new compression-based algorithm with polynomial dependence on VC-dimension.

Findings

Perturb-and-smooth approach PAC-learns with sample complexity depending on VC-dimension and doubling dimension.

Traditional perturb-and-smooth can fail in non-tolerant settings.

Novel compression-based algorithm achieves polynomial dependence on VC-dimension and doubling dimension.

Abstract

We initiate the study of tolerant adversarial PAC-learning with respect to metric perturbation sets. In adversarial PAC-learning, an adversary is allowed to replace a test point $x$ with an arbitrary point in a closed ball of radius $r$ centered at $x$. In the tolerant version, the error of the learner is compared with the best achievable error with respect to a slightly larger perturbation radius $(1+\gamma)r$. This simple tweak helps us bridge the gap between theory and practice and obtain the first PAC-type guarantees for algorithmic techniques that are popular in practice. Our first result concerns the widely-used ``perturb-and-smooth'' approach for adversarial learning. For perturbation sets with doubling dimension $d$, we show that a variant of these approaches PAC-learns any hypothesis class $\mathcal{H}$ with VC-dimension $v$ in the $\gamma$-tolerant adversarial setting with $O\left(\frac{v(1+1/\gamma)^{O(d)}}{\varepsilon}\right)$ samples. This is in contrast to the traditional (non-tolerant) setting in which, as we show, the perturb-and-smooth approach can provably fail. Our second result shows that one can PAC-learn the same class using $\widetilde{O}\left(\frac{d.v\log(1+1/\gamma)}{\varepsilon^2}\right)$ samples even in the agnostic setting. This result is based on a novel compression-based algorithm, and achieves a linear dependence on the doubling dimension as well as the VC-dimension. This is in contrast to the non-tolerant setting where there is no known sample complexity upper bound that depend polynomially on the VC-dimension.